Trigona Ransomware Group Deploys Custom Exfiltration Tool for Data Theft

Severity: High (Score: 71.0)

Sources: Gbhackers, www.acronis.com, Scworld, www.security.com, Bleepingcomputer

Summary

In March 2026, the Trigona ransomware group, which operates as a Ransomware-as-a-Service (RaaS), utilized a newly developed custom tool named 'uploader_client.exe' to enhance their data exfiltration capabilities. This tool allows for rapid and stealthy data theft, targeting high-value documents such as invoices and PDFs stored on network drives. The shift from commonly used utilities like Rclone and MegaSync to proprietary malware indicates a strategic move to avoid detection by security solutions. The attackers also employed the Huorong Network Security Suite tool HRSword to disable security measures on compromised systems, followed by the use of various other tools to facilitate credential theft and remote access. Notably, AnyDesk was used for remote access, while Mimikatz and Nirsoft tools were leveraged for credential harvesting. Despite disruptions to their operations in late 2023, Trigona affiliates have resumed attacks, indicating a persistent threat to organizations. Symantec has issued indicators of compromise (IoCs) to assist in detection and prevention efforts.

Key Points:

  • Trigona ransomware group has introduced a custom exfiltration tool for enhanced data theft.
  • The tool, 'uploader_client.exe', allows for rapid data transfer and evasion of security measures.
  • Recent attacks indicate a resurgence of Trigona operations despite previous disruptions.

Key Entities

  • Rhantus (apt_group)
  • Ransomware (attack_type)
  • CWE-269 - Improper Privilege Management (cwe)
  • ransomlook.io (domain)
  • 163.172.105.82 (ipv4)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1046 - Network Service Discovery (mitre_attack)
  • Linux (platform)
  • Windows (platform)
  • Tor (platform)
  • Trigona (ransomware_group)
  • AnyDesk (tool)
  • DCPcipher (tool)
  • DumpGuard (tool)
  • GMER (tool)
  • HRSword (tool)